auth guard

Author: djyde

.gitignore

@@ -161,3 +161,4 @@ dist
 generated/*
 db.sqlite
 public/js
+widget/index.html

pages/api/comment/[commentId]/approve.ts

@@ -1,13 +1,26 @@
-import { NextApiRequest, NextApiResponse } from "next";
-import { CommentService } from "../../../../service/comment.service";
+import { NextApiRequest, NextApiResponse } from 'next'
+import { AuthService } from '../../../../service/auth.service'
+import { CommentService } from '../../../../service/comment.service'
 
-export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
   const commentService = new CommentService(req)
+  const authService = new AuthService(req, res)
 
   if (req.method === 'POST') {
-    await commentService.approve(req.query.commentId as string)
+    const commentId = req.query.commentId as string
+
+    // only project owner can approve
+    const project = await commentService.getProject(commentId)
+    if (!(await authService.projectOwnerGuard(project))) {
+      return
+    }
+
+    await commentService.approve(commentId)
     res.json({
-      message: 'success'
+      message: 'success',
     })
   }
-}
+}

pages/api/comment/[commentId]/replyAsModerator.ts

@@ -1,15 +1,30 @@
-import { NextApiRequest, NextApiResponse } from "next";
-import { CommentService } from "../../../../service/comment.service";
+import { NextApiRequest, NextApiResponse } from 'next'
+import { AuthService } from '../../../../service/auth.service'
+import { CommentService } from '../../../../service/comment.service'
 
-export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
   const commentService = new CommentService(req)
+  const authService = new AuthService(req, res)
+
   if (req.method === 'POST') {
     const body = req.body as {
       content: string
     }
-    const created = await commentService.addCommentAsModerator(req.query.commentId as string, body.content)
+    const commentId = req.query.commentId as string
+
+    const project = await commentService.getProject(commentId)
+    if (!(await authService.projectOwnerGuard(project))) {
+      return
+    }
+    const created = await commentService.addCommentAsModerator(
+      commentId,
+      body.content,
+    )
     res.json({
-      data: created
+      data: created,
     })
   }
-}
+}

pages/api/project/[projectId]/comments.ts

@@ -1,4 +1,6 @@
+import { Project } from '.prisma/client'
 import { NextApiRequest, NextApiResponse } from 'next'
+import { AuthService } from '../../../../service/auth.service'
 import { CommentService } from '../../../../service/comment.service'
 import { ProjectService } from '../../../../service/project.service'
 
@@ -8,18 +10,32 @@ export default async function handler(
 ) {
   const projectService = new ProjectService(req)
   const commentService = new CommentService(req)
+  const authService = new AuthService(req, res)
   if (req.method === 'GET') {
     const { projectId, page } = req.query as {
       projectId: string
       page: string
     }
+
+    // only owner can get comments
+    const project = await projectService.get(projectId, {
+      select: {
+        ownerId: true
+      }
+    }) as Pick<Project, "ownerId">
+
+    if (!await authService.projectOwnerGuard(project)) {
+      return
+    }
+
     const comments = await commentService.getComments(projectId, {
       parentId: null,
       page: Number(page),
       onlyOwn: true,
       select: {
         by_nickname: true,
         by_email: true,
+        approved: true
       },
     })
     res.json({

pages/api/project/[projectId]/data/import.ts

@@ -1,47 +1,64 @@
-import { NextApiRequest, NextApiResponse } from "next";
+import { NextApiRequest, NextApiResponse } from 'next'
 
-import formidable from "formidable";
-import { DataService } from "../../../../../service/data.service";
-import * as fs from "fs";
+import formidable from 'formidable'
+import { DataService } from '../../../../../service/data.service'
+import * as fs from 'fs'
+import { AuthService } from '../../../../../service/auth.service'
+import { ProjectService } from '../../../../../service/project.service'
+import { Project } from '@prisma/client'
 
 export const config = {
   api: {
     bodyParser: false,
   },
-};
+}
 
 export default async function handler(
   req: NextApiRequest,
-  res: NextApiResponse
+  res: NextApiResponse,
 ) {
-  if (req.method === "POST") {
-    const form = new formidable.IncomingForm();
+  const authService = new AuthService(req, res)
+  const projectService = new ProjectService(req)
+
+  if (req.method === 'POST') {
+    const form = new formidable.IncomingForm()
 
-    const dataService = new DataService();
+    const dataService = new DataService()
 
     const { projectId } = req.query as {
-      projectId: string;
-    };
+      projectId: string
+    }
+
+    // only owner can import
+    const project = (await projectService.get(projectId, {
+      select: {
+        ownerId: true,
+      },
+    })) as Pick<Project, 'ownerId'>
+
+    if (!(await authService.projectOwnerGuard(project))) {
+      return
+    }
 
     form.parse(req, async (err, fields, files) => {
       if (err) {
         res.status(503)
         res.json({
-          message: err.message
+          message: err.message,
         })
         return
       }
 
       const imported = await dataService.importFromDisqus(
         projectId,
-        fs.readFileSync(files.file.path, { encoding: "utf-8" })
-      );
+        fs.readFileSync(files.file.path, { encoding: 'utf-8' }),
+      )
       res.json({
         data: {
           pageCount: imported.threads.length,
-          commentCount: imported.posts.length
+          commentCount: imported.posts.length,
         },
-      });
-    });
+      })
+    })
   }
 }

pages/dashboard/project/[projectId].tsx

@@ -1,6 +1,6 @@
 import { Box, Breadcrumb, BreadcrumbItem, BreadcrumbLink, Button, Center, Container, Divider, Flex, FormControl, Heading, HStack, Input, Link, Spacer, Spinner, StackDivider, Tab, TabList, TabPanel, TabPanels, Tabs, Tag, Text, Textarea, toast, useToast, VStack } from '@chakra-ui/react'
 import { Comment, Page, Project } from '@prisma/client'
-import { signIn } from 'next-auth/client'
+import { session, signIn } from 'next-auth/client'
 import { useRouter } from 'next/router'
 import React from 'react'
 import { useMutation, useQuery } from 'react-query'
@@ -170,8 +170,14 @@ function ProjectPage(props: {
   session: UserSession
 }) {
 
+  React.useEffect(() => {
+    if (!props.session) {
+      signIn()
+    }
+  }, [!props.session])
+
   if (!props.session) {
-    signIn()
+    return <div>Redirecting to signin..</div>
   }
 
   const [page, setPage] = React.useState(1)
@@ -306,13 +312,25 @@ function Settings(props: {
 
 export async function getServerSideProps(ctx) {
   const projectService = new ProjectService(ctx.req)
+  const session = await getSession(ctx.req)
   const project = await projectService.get(ctx.query.projectId)
+
+  if (session && (project.ownerId !== session.uid)) {
+    return {
+      redirect: {
+        destination: '/forbidden',
+        permanent: false
+      }
+    }
+  }
+
   return {
     props: {
       session: await getSession(ctx.req),
       project: {
         id: project.id,
-        title: project.title
+        title: project.title,
+        ownerId: project.ownerId
       }
     }
   }

pages/forbidden.tsx

@@ -0,0 +1,17 @@
+function ForbiddenPage() {
+  return (
+    <>
+      Forbidden
+    </>
+  )
+}
+
+export async function getServerSideProps(ctx) {
+  return {
+    props: {
+      
+    }
+  }
+}
+
+export default ForbiddenPage

service/auth.service.ts

@@ -0,0 +1,36 @@
+import { Project } from '.prisma/client'
+import { RequestScopeService } from '.'
+
+export class AuthService extends RequestScopeService {
+  constructor(req, private res) {
+    super(req)
+  }
+
+  async authGuard() {
+    const session = await this.getSession()
+    if (!session) {
+      this.res.status(403).json({
+        message: 'Sign in required',
+      })
+      return null
+    }
+    return session
+  }
+
+  async projectOwnerGuard(project: Pick<Project, 'ownerId'>) {
+    const session = await this.authGuard()
+
+    if (!session) {
+      return null
+    }
+
+    if (project.ownerId !== session.uid) {
+      this.res.status(403).json({
+        message: 'Permission denied',
+      })
+      return null
+    } else {
+      return true
+    }
+  }
+}

service/comment.service.ts

@@ -94,6 +94,28 @@ export class CommentService extends RequestScopeService {
     return allComments as any[]
   }
 
+  async getProject(commentId: string) {
+    const res = await prisma.comment.findUnique({
+      where: {
+        id: commentId
+      },
+      select: {
+        page: {
+          select: {
+            project: {
+              select: {
+                id: true,
+                ownerId: true
+              }
+            }
+          }
+        }
+      }
+    })
+
+    return res.page.project
+  }
+
   async addComment(
     projectId: string,
     pageSlug: string,

service/project.service.ts

@@ -1,4 +1,4 @@
-import { User } from "@prisma/client";
+import { Prisma, User } from "@prisma/client";
 import { RequestScopeService } from ".";
 import { prisma } from "../utils.server";
 
@@ -20,11 +20,14 @@ export class ProjectService extends RequestScopeService {
     return created
   }
 
-  async get(projectId: string) {
+  async get(projectId: string, options?: {
+    select?: Prisma.ProjectSelect
+  }) {
     const project = await prisma.project.findUnique({
       where: {
         id: projectId
-      }
+      },
+      select: options?.select
     })
 
     return project